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Introduction 


This fifth annual study is the Defense Security 
Service's (DSS) primary counterintelligence 
(CI) tool for security professionals. The data 
presented in this study is based solely on 
reports of suspicious foreign activity sent to 
DSS by Industrial Security Representatives 
and Special Agents. This information is 
based on information provided by cleared 
defense companies and cleared employees that 
experience foreign suspicious activity. DSS 
believes that this publication provides general 
information and conclusions that help cleared 
companies and DSS personnel recognize and 
report suspicious foreign activity so that DSS 
can assist cleared companies enact responsive, 
threat-appropriate, and cost-effective security 
countermeasures (SCM). DSS’ proactive pro- 
vision of relevant threat information for 
cleared contractors should further sensitize 
them to deter and detect suspicious foreign 
activity. Numerous government agencies also 
use this summary of reported information to 
analytically confirm or deny assessments of 
technology targets, to identify suspicious for- 
eign actors, and to strengthen and supplement 
their investigative missions. 


Key Judgments 


Countries conducting conventional and 
nuclear arms races will seek U.S. defense con- 
tractors' weapons, sensors and countermea- 
sures to obtain an advantage. Other foreign 
technology collection efforts will continue to 
address force modernization, economic com- 
petition, and commercial modernization, and 
will frequently target technologies with dual- 
use applications. 


Foreign collection activities will continue to 
use automated systems to generate e-mail 
requests, solicitations, and website promoted 


inquiries. Suspicious Internet contacts will 
continue while use of the postal system and 
facsimiles will continue to decrease. Entities 
in developing countries will continue to mail 
inquiries and solicitations with postage. 


Foreign entities exhibit frustration when effec- 
tive SCM deny them sought information. In 
2000, some companies denied and ignored 
requests similar to those foreigners made in 
1999, which surfaced at other companies 
involved in similar research, technology and 
products. Due to the increased denial and 
non-response by cleared defense industry to 
foreign requests for information, foreigners 
will employ other collection methods and tar- 
get different cleared facilities. This highlights 
the importance of reporting suspicious activi- 
ty across the nation and overseas. Otherwise, 
DSS cannot monitor foreign entities, provide 
warnings, and detect and neutralize foreign 
threats. 


Foreign suspicious activities that were predi- 
cated by or occurred in the conduct of a 
Foreign Military Sale (sometimes U.S. 
funded) will continue and may increase in 
2001. 


The increase in foreign targeting of machinery 
and fabrication technologies noted in 2000 
will continue, perhaps increasing in 2001. 
Many protection discussions have addressed 
the economic threat posed by foreigners 
"reverse engineering” U.S. military products 
and acquiring manufacturing technology. 
(Although acquisition of manufacturing 
machinery is a threat, the greater threat is 
associated with countries acquiring other fab- 
rication technology and production processes.) 


Global business environments will continue to 
provide some degree of cover for foreign gov- 
ernment-sponsored targeting of specific tech- 


nologies and these suspicious incidents at U.S. 


cleared facilities are assessed to increase in 
2001. 


Executive Summary 


Country Trends: In 2000, DSS received 
reports of suspicious activities concerning 
interests associated with 63 countries. The 
number of countries associated with targeting 
cleared defense contractors has increased 
since the start of this report. In 1997, 37 
countries were linked to suspicious activity as 
compared with 47 in 1998 and 56 in 1999. 
DSS associates this increase with increased 
threat awareness by DSS field personnel and 
cleared defense contractors. These reports 
indicate that the majority of countries target- 
ing cleared industry have limited advanced 
military capabilities (v. none) and are seeking 
technological advancement. In some 
instances countries possess older models and 
are attempting to upgrade specific sub-sys- 
tems on a given platform. 


Technology Interest Trends: The extent of 
foreign interest and collection methodology 
employed against specific technologies varies 
dramatically, from a passive request to sophis- 
ticated collection activities using various 
Methods of Operation (MO). The majority of 
targeted technologies, as well as those associ- 
ated with Department of Defense (DoD) pro- 
grams and weapons systems, was covered by 
the International Traffic of Arms Regulations 
(ITAR). As noted in 1998, foreign entities 
continue targeting weapon components, devel- 
oping technology, and technical information 
more intensely than complete weapons sys- 
tems and military equipment. For the first 
time in five years, suspicious activity reports 
concerning critical technologies do not 
include every militarily critical technology 
category. Foreigners targeted sixteen technol- 


ogy categories for military and/or economic 
exploitation. Directed Energy Systems and 
Weapons Effects systems received no report- 
ing from cleared DoD contractors in 2000. 


Most Frequently Reported Technology 
Targets: Technologies generating most for- 
eign interest in 2000 included information 
systems, sensors and lasers, aeronautics sys- 
tems, armaments and energetic materials, and 
electronics; in that order of frequency. 


Most Frequently Reported Foreign 
Collection Methods of Operation (MO): MOs 
are the techniques employed by a foreign enti- 
ty to collect intelligence or scientific and tech- 
nical information against a given target. MOs 
associated with potential collection efforts in 
2000 are as follows, ranked in order of fre- 
quency of occurrence: 


* Request for Scientific and 
Technological (S&T) information. 
* Soliciting and marketing of services. 
¢ Acquisition of U.S. technology/company. 
* Inappropriate conduct during foreign 
visits, 
* International conventions, seminars, 
and exhibits. 
* Exploitation of Internet (hacking). 
* Exploitation of joint venture/research. 


Unsolicited requests for information was the 
most frequently used collection method 
employed by foreign interests in 2000. While 
foreign interests employed a variety of meth- 
ods, the methods are consistently similar to 
those reported during 1995-1999. Foreign 
collection methods and their frequencies are 
described in page 15. Enclosed Appendix 
identifies suspicious indicators and SCM that 
may mitigate the potential threats associated 
with these MOs. 


Reporting 


DoD Directive 5240.2 requires DSS to assist 
industry in recognizing and reporting suspi- 
cious activity. Cleared companies and DSS 
responded well in 2000, as in previous years. 
This active response continues a trend of 
increased awareness and reporting. The fol- 
lowing criteria is used in assessing potential 
foreign collection efforts: 


* Technology is classified/export-con- 
trolled. 

¢ Information has national defense/mili- 
tary application. 

* Redundant requests from same coun- 
try for each technology target. 

« Identifying consistent patterns across 
government agencies reporting on 
collection efforts by that country. 

¢ Foreign entity is affiliated with for- 
eign government defense organiza- 
tion. 

* Request/offer is from an embargoed 
country. 

* Possible front company and know 
technology target. 


All threat information is evaluated in the con- 
text in which it takes place. DSS CI evaluates 
the military criticality of the requested infor- 
mation, whether it exists at the cleared 
defense contractor facility, association of the 
foreign collection method to those reportedly 
used by foreign intelligence services, history 
of suspicious activity by the foreign entity, 
and access of the contacted, cleared employee 
to the requested information. Only then can 
DSS CI apply a value to the threat informa- 
tion and then more rigorously analyze the 
information, if warranted. Foreign targeting, 
of interest to DSS, includes any classified 
technology, technology requiring an export 
license, technology listed in the International 
Traffic in Arms Regulation (ITAR) or Military 


Critical Technology List (MCTL). (Only 2% 
of technologies targeted included recognizable 
classified technologies. As this is the first year 
identifying the classification of a technology. 
DSS assesses that there will probably be an 
increase in detection of targeting classified 
aspects next year.) 


MOs of interest to DSS include economic and 
industrial espionage activities related to an 
intelligence, scientific or technical collection 
operation. These activities normally involve a 
complimentary set of actions that vary based. 
on a nation's culture, political system, busi- 
ness practices, and resources. These MOs 
include but are not limited to the following: 
request for information, violation of foreign 
visit protocol, exploitation of joint ventures, 
acquisition of U.S. companies or technologies, 
hacking, targeting cultural commonalties, tar- 
geting at international conventions, solicita- 
tion and marketing of services, exploitation of 
foreign employees, foreign collection against 
U.S. travelers abroad, and targeting former 
employees. 


Submitted incident reports continue to empha- 
size the importance of using company Facility 
Security Officers (FSOs) as the central coordi- 
nation point for each cleared company and 
each cleared employee. FSOs ensure timely 
and comprehensive review, of reported inci- 
dents, recognition of suspicious indicators, 
and reporting of suspicious activity. Special 
agents and industrial security representatives 
are encouraged and reminded to coordinate 
certain security activities among themselves 
when appropriate. Sometimes including the 
FSO in these discussions can be a security 
force multiplier. 


Whether for investigation or analysis, report- 
ing helps educate industry, security, and CI 
professionals about foreign collection meth- 
ods employed against U.S. industry. Thus, to 


provide thorough research and response, DSS 
Industrial Security Representatives refer to 12 
information requirments listed in DSS ISOM 
section 1-5-302. Because the DSS CI Office 
needs to know some information in the great- 
est detail possible, the FSO may be able to 
help identify: 


* The ultimate target (understandable 
description of technology, system, or 
research), 

¢ Foreign identity (name, affiliation, 
descriptive features, previous contact, 
and postal and electronic addresses). 

* Circumstances of the incident and back- 
ground information (e.g., "met at con- 
vention in 1998," "denied a visit in 
1999," "prime ignored several requests 
before foreigner approached us [sub- 
contractor]"). 

* Suspicious activity (e.g., called a few 
times and e-mailed inquiring about pro- 
gram or technology) 


Timely reporting of suspicious foreign 
activity enables DSS to evaluate foreign col- 
lection activity immediately, recommend 
threat-appropriate SCM, and expedite 
referrals to U.S. government agencies that 
can neutralize and exploit foreign efforts. 


DSS has successfully contributed to govern- 
ment intelligence and law enforcement activi- 


ties that resulted in the neutralization of for- 
eign threats. In 2000, local referrals of 
exploitable information to government law 
enforcement activities increased as did result- 
ant intragovernmental success in neutralizing 
threats. 


Cleared company reporting also indicates 
numerous successes in applying appropriate 
SCM to potentially threatening situations. 
Based on information provided to DSS, 
cleared companies refused tours to unautho- 
rized visitors, did not respond to suspicious 
foreign requests for information, asked for 
(and received) additional information from 
foreign entities, refused inappropriate visit 
sponsorship requests, used effective escorts to 
control visiting delegations, and questioned. 
foreign entities about the reason(s) for their 
inquiries. This professional handling of for- 
eign requests proved useful in identifying and 
reporting inappropriate foreign interests. 


Most successes closely align with SCM out- 
lined in the DSS brochure, "Suspicious 
Indicators and Security Countermeasures for 
Foreign Collection Activities Directed 
Against the U.S. Defense Industry." See 
Appendix for updated version. The expansion 
of indicators in this update indicates DSS and 
cleared defense industry security awareness 
training has been effective. 


Country Section 


Since 1997, the number of countries associat- 
ed with suspicious activities has continued to 
increase. The number of countries that are 
suspected of targeting U.S. critical technology 
is not entirely synonymous to those identified 
in cleared contractor reporting to DSS in 
2000. Many countries exhibit interest in the 
same technologies. Newly identified coun- 


Table 1 


tries, for the most part, were developing 
nations which may be interested in upgrading 
existing defense systems or developing a 
countermeasure that yields a battlespace or 
warning advantage. It is possible that some of 
the newly identified countries were collecting 
for other nations, whose own collection 

efforts have failed or need to be 

supplemented. 


# of countries with identified 44 37 47 
_ collection involvement 


Figure 1 


Worldwide Targeting Efforts 


BB Asia - 37% 
HB Europe - 19% 
i Eurasia - 21% 


Middle East/North Africa - 18% 
South America - 4% 
HE sub-Saharan Africa - 1% 


Non Targeting 


The map above denotes regions of the world from where collection efforts report- 
edly originated. The percentages indicate the level of collection activity reported 
in 2000. The map does not imply national level support of the collection activity. 
The collector may have based their operation in a third country to conceal inten- 
tions such as the ultimate end-user of the research or technology. 


Figure 2 


Sponsorship 


Technology 


DSS documents and reviews foreign interest 
in critical U.S. defense technology in 18 cate- 
gories. The Militarily Critical Technology 
List (MCTL) is the primary reference for DSS 
to identify and describe militarily critical tech- 
nologies and sub-categories. The MCTL, 
especially Volume III, is a detailed and struc- 
tured compendium of the emerging technolo- 
gies the DoD assessed to be critical to main- 
taining superior United States military capa- 
bilities. The MCTL can be found on the 
Internet at www.dtic.mil/mctl. DSS employ- 
ees should reference these volumes to identify 
technical or operational significance when 
addressing a suspicious incident. 


A review of suspected targeting incidents in 
2000 has found, for the first time in five 
years, that only 16 of 18 categories of critical 
technology were reportedly subjects of foreign 
interest for military and economic exploita- 
tion. Reports from all previous years 
involved at least one report relevant to each of 
the MCTL categories. Directed Energy 
Systems and Weapons Effects systems 


| Government sponsored 


|| Government affiliated 


[J Commercial 


BB individual 


received no reporting from cleared DoD con- 
tractors in 2000. The extent of foreign inter- 
est in the remaining technology categories 
varies dramatically. In some cases, nations 
were associated with targeting all technology 
categories while others were only associated 
with targeting a single technology. 


Information Systems (IS) was the most widely 
sought militarily critical technology category 
in 2000, as it was in 1999. IS showed the 
greatest targeting interest with 33 of the 63 
countries associated with suspicious collection 
activity. Sensors and Lasers was the second 
most targeted technology with 24 countries 
involved in collection efforts. Tied for third 
most widely sought technology was Marine 
Systems and Armament & Energetic Materials 
technology. Seventeen countries were associ- 
ated with collection efforts targeting each of 
these. The statistics discussed in this section 
are based solely on those technologies identi- 
fied in suspicious activity reporting from 
cleared contractors. 


Because of varied technology applications and 
the wide range of military and economic for- 


Table 2 
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eign interests, cleared contractors are encour- 
aged to provide additional application details. 
Identification of how the foreigner intends to 
use the U.S. technology, such as military 
acquisition, helps DSS analysts determine for- 
eign trends, intentions, actual targets, planned 
usage, and the program or upgrade with which 
the technology is, or may be, associated. 


DSS believes that when we identify all specif- 
ic technologies that have been targeted by for- 
eign interests, this increases the threat aware- 
ness of cleared companies, DSS agents, and 
industrial security representatives. On the fol- 
lowing pages, these specific technologies are 
indentified in each militarily critical technolo- 
gy category. DSS hopes that this increased 
awareness will promote relevant security con- 
siderations and additional reporting of suspi- 


cious incidents that may not have been previ- 
ously noticed. Because many cleared compa- 
nies are involved with many technology areas, 
DSS values identifying the percentages of for- 
eign technology targeting efforts. This infor- 
mation may assist cleared companies to com- 
pare and contrast relevant threat data and 
decide upon threat-appropriate security meas- 
ures and countermeasures. 


The majority of defense technologies targeted 
in 2000 was components vice complete sys- 
tems. This trend has continued to increase 
since 1998 when DSS first noticed developed 
and developing countries were upgrading 
existing platforms. Most frequently reported 
technology targets by MCTL Category and 
volume of reports were: 


Information Systems remained the most 
sought militarily critical technology category 
in 2000. IS showed the greatest diverse inter- 
est from 33 of the 63 countries associated 
with suspicious activity. IS are pervasive in 
virtually all military, commercial and industri- 
al activities, and all levels of government. 
This may explain the 100+% increase in 
reported Information Security targeting over 
1999 reporting. The greatest increases in for- 
eign targeting occurred in information securi- 
ty, transmission systems, and software sys- 
tems sub-categories. 


Information Security technologies are vital to 
U.S. warfighter capabilities. Uses of IS 
encompass a wide range of applications from 
IS embedded in individual smart weapons and 


Table 3 


sensors, to local processing and communica- 
tions systems, including transportable and per- 
sonal hand-held devices, to international wide 
area computer networks. Access to these 
technologies by potential adversaries could 
enhance the performance of foreign military 
systems and could be used to counter U.S. 
capabilities. 


Significant foreign interest in 2000 included: 
modeling and simulation technology (military 
training systems), C41 such as: HF, VHF mili- 
tary radios, and INFOSEC encryption devices 
(KG-194, KG-84 a/c, KIV-7HS, KG-81, KG- 
94), TEMPEST equipment, firewall and intru- 
sion detection technology. Other reports con- 
cerned SATCOM systems and signal process- 
ing components. 


Collection Incidents per Sub-category per Year 
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Transmission systems saw the greatest increase in targeting in 2000. Transmission systems 
include equipment and components used for transfer of voice, data, record and other information 
by electromagnetic means; through atmospheric, exoatmospheric, or subsurface media or via 
metallic or fiber-optic cable. The information being exchanged is predominantly in digital form of 


voice, text, graphics, video and databases. 


Significant interest in acquiring communications security devices was noted due to good 
reporting in 2000. Several DoD contractors received requests to purchase encryption 


devices, one incorporating Firefly technology and the other used for digital and voice bulk 
encryption. Other reports indicated foreign interest in the "VINSON communications securi- 
y equipment" and another military communications security product. 


Sensors and Lasers remained the second 
most frequently targeted defense technology 
reported by cleared contractors and foreign 
targeting increased by 2 percent. There were 
24 nations associated with targeting sensor 
and laser technologies. Five countries 
accounted for 63 percent of these incident 
reports. Those countries with superior sensors 
have a significant advantage over an adver- 
sary. Arms races are excellent examples of 
why countries seek early warning advantages, 
hence advanced sensors, to monitor neighbors 
and regional threats. Though targeted sensors 
were greatly varied systems with diverse func- 
tions, their commonality is that U.S. state-of- 
the-art sensors are generally better than the 
rest of the world. 


Targeting in the electro-optical field tripled. 
Electro-optical sensors are typically used for 
night vision devices and for terminal guidance 
for smart weapons. This equipment ranges 
from night vision goggles for individual per- 
sonnel to large telescopes, vehicle driver sys- 
tems and weapons sights. The majority of 
sensor targets in 2000 involved night vision . 
These critical systems depend on second and 
third generation image intensifier technology; 
micro-channel plate amplifiers and com- 
pounds, semiconductors, and photo-cathode 
tubes. 


In one 2000 case, military representatives continually requested third generation imaging 


technology. ‘Some countries define third-generation systems as those using large two-dimen- 
sional staring Focal Plane Arrays (FPAs).. At least one foreign firm currently markets its 
staring system under a third generation label because it uses a’ 320X240 InSb FPA. In the 
U.S., the definition of third-generation systems is still being formed. Third generation sys- 


‘tems are often reserved for aviators or tank drivers who are moving at fast speeds and need 

- to process information quickly. If exported, tankers and pilots would most likely use.request- 
ed night vision devices militarily. Normally, ground units receive second generation devices. 
In this country, night vision devices observed being utilized by foreign military personnel 
were in poor condition, NOT operationally ready. DSS notes that dire needs contribute to. 
foreign technology collection activity. 


Other targeted technologies included under- 
water acoustics, infrared (IR) detectors, air- 
bome and ground radar, imagery dissemina- 
tion software, digital terrain data, IR imagery, 
optical night vision products, photonics, ther- 
mal imaging camera, antisubmarine warfare 
(ASW) acoustic detection systems, electro- 
optic sensors, passive communications inter- 
cept and electronic intercept receivers. Laser 
technologies targeted in 2000 included radars, 


Table 4 


range finders, pulsed lasers and U.S. designs. 
Note comparisons to previous years. 


The “other" sensor category currently pertains 
to passive communications and electronic 
intelligence receivers for land, air, and sea 
employment and other detection and surveil- 
lance devices not affiliated with specified cat- 
egories. 


Collection Incidents per Sub-category per Year 
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Aeronautics Systems was the third most fre- 
quent technology target while foreign target- 
ing efforts directed against it remained at 9 
percent of total reporting. Identified 2000 tar- 
gets included: EA-6B, F-15, U.S. CH-47, F- 
22 aircraft, Unmanned Aerial Vehicles 
(UAVs), and ALQ-144 airborne infrared 
countermeasures set for helicopter surviv- 
ability. 


There were 15 countries associated with sus- 
picious activity directed against aeronautic 
technologies. One country accounted for 4 of 
23 targeting efforts associated with aeronau- 
tics systems followed by another country's 
interest (3 collection attempts) targeting com- 
ponents of U.S. special electronic mission air- 
craft. 


Incident: a foreign firm recently requested UAVs from a cleared DoD contractor for an 


unspecified foreign client (third country) that was believed to be embargoed. The two coun- 


"tries, requestor and client, have been negotiating the upgrade of an embargoed nation's 


UAV. The embargoed nation's UAV research and development activity has been minimal to 
non-existent since the mid-1980s due to embargo constraints, poor maintenance, a lack of 


skilled operators and limited funding. In the past ten years, two countries have offered the 
embargoed nation advanced UAV technology upgrades to include composite aircraft materi- | 
als, equipment and technical assistance. The embargoed nation also sought upgrades for 

the UAV program from a number of nations. The embargoed nation's UAV program may — 


continue and may become more of a threat to regional U.S. interests and U.S. forces. 


UAVs have made greater strides over the past 
18 months, in terms of widespread acceptance 
by the user community. Unmanned systems 
are now beginning to be seen as cost-effective 
and advanced-technology alternatives to 
manned platforms. Several factors have con- 
tributed to this rapid development. UAVs 
were employed by at least five NATO mem- 
ber countries during last year's Operation 
Allied Force over Kosovo. This provided 
valuable experience and taught several impor- 
tant lessons. UAVs confirmed their value to 
the warfighter for intelligence, surveillance 
and reconnaissance, and combat support 
applications. They also demonstrated the 
flexibility required for rapid changes “on the 
fly” to meet emerging needs beyond their tra- 
ditional role, such as working with airborne 
forward air controllers in F-16s. This infor- 
mation is provided to explain why foreigners 
who were initially interested in manned air- 


Table 5 


craft may become interested in UAVs. This 
change of interest, per se, is not cause for con- 
cern. Export controls should regulate foreign 
acquisition attempts. 


Several suspicious incidents occurred during 
approved foreign military sales. A foreign 
aviator wanted to know the difference 
between the U.S. F-15 and the export model 
his government received. On five separate 
occasions foreign Air Force officers 
approached cleared DoD contractors request- 
ing information regarding the differences 
between the U.S. F/A-18D and the version 
their country received as well as the versions 
that the U.S. provided to Spain and Singapore. 
Additional questions concerned various equip- 
ment associated with the F/A-18D including 
AN/ALQ-126 processor, AN/ALE-47 counter- 
measures dispenser system, and the AN/ALR- 
67 (V) advanced special receiver. 


Collection Incidents per Sub-category per Year 


Unmanned aerial vehicles 


Armaments and Energetic Materials 
include those required to develop and pro- 
duce in quantity safe, affordable, storable, 
and effective conventional munitions and 
weapons systems of superior operating capa- 
bility. These include infantry and crew serve 
weapons systems, ammunition, artillery 
weapons systems, torpedoes, depth charges, 
bombs, land and sea mines, demolition 
devices, high explosives, kinetic energy and 
pyrotechnic warheads, projectiles, sub-muni- 
tions, fuses, safety and arming devices and 
other components. 


Table 6 


Technologies targeted in 2000 include TOW 
missile, R-77 medium range missile, flame 
spray gun, large caliber ammunition, fuse 
technologies, cruse missile technology, 
sidewinder AIM-9P missile, Mark-45, and 
PAC 3 including classified performance 
characteristics and safety systems. Five 
countries were associated with the vast 
majority of targeting. 


Collection Incidents per Sub-category per Year 
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Electronics Foreign targeting of electronics 
technologies decreased 2 percent to 8 percent 
in 2000, moving it from third to fifth place. 
The majority of targets concerned defense 
applications of dual-use electronics such as 
microwave components, wafer fabrication, sil- 
icon photodiodes, high voltage systems for 
night vision goggles, tank sites, rifle scopes, 
and tempest/hardening of equipment. 


12 


An embargoed nation led foreign entities tar- 
geting electronic technologies, accounting for 
23% of reports. Three other countries 
accounted for 10% each of reports concerning 
this technology. Due to the nature of reported 
incidents it is clear foreigners were interested 
in military applicable electronics, although 
only 9 fit neatly into sub-categories. 


Table 7 


Collection Incidents per Sub-category per Year 


a 
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*Many optoelectronic targets in 1997 may have concerned sensors. Detailed 1998- 
2000 reporting helped DSS identify optoelectronic targets that were being applied to 


sensors. 


Marine Systems remained (and now tied) in 
fifth place accounting for 6 percent of foreign 
targeting. However, actual incidents declined 
by 3 percent. Specific technologies targeted 
included submarine propulsion systems, ship 
and submarine construction, swimmer deliv- 
ery vehicle (restricted version), underwater 
tracking systems, amphibious assault ships, 
submarine masts, and driver propulsion 


Table 8 


vehicles. Several targeting efforts involved 
the Navy's DD-21 Program. Foreign interest 
in U.S. antisubmarine warfare continued at the 
same level as 1999. Several foreign contacts 
concerned marine systems but not specifically 
these sub-categories. Other targets included 
aircraft carrier and runway specifications, port 
data, and ship building techniques. 


Collection Incidents per Sub-category per Year 


N/A means that no reports indicated these specific technologies were targeted. 
Other marine systems such as engines were targeted in 1996. 


Chemical/Biological Systems targeting 
increased by 1 percent to more than 3 percent, 
moving it from fourteenth to sixth place. 
Chemical and biological systems address bio- 
processing, chemical manufacturing; chemical 
and biological defense systems; chemical and 
biological detection, warning, and identifica- 
tion; battlefield environment; and human fac- 
tors. The majority of foreign requests in this 
category were for published research. 


Manufacturing and Fabrication Collection 
efforts directed at manufacturing and fabrica- 
tion technologies also increased by 1 percent 
to nearly 3 percent, moving it up to seventh 
place. Technologies covered under manufac- 
turing and fabrication include those required 
for the production of military hardware. In 
most cases the technologies, the equipment 
and the know-how are dual use. All countries 
engaged in the production of military 
weapons, munitions, and systems possess, to 
some degree, technical know-how in this area. 
Frequently U.S. techniques rather than equip- 
ment are targeted by foreign entities. 


Signature Control Signature control technol- 
ogy is critical to certain U.S. weapons systems 
because it reduces an adversary's ability to 
detect, track, monitor and engage during com- 
bat operations. This technology may increase 
the ability of the U.S. to detect foreign 
weapon systems that have low observable fea- 
tures. Targeting associated in this area 
decreased by 1 percent to just under 3 percent. 
One key area of foreign interest (particularly 
for one country) was stealth associated with 
anti-submarine warfare. 


Power Systems Electric power drives sub- 
systems and systems in hundreds of U.S. mili- 
tary platforms and end-items. These various 
applications dictate military requirements for 
power level, power reliability, ruggedness, 
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packaging and ability to operate in a variety 
of environments. Foreigners targeted pulsed 
power generators and flat cell technology. 


Guidance, Navigation and Vehicle Control 
Targeting associated with guidance, naviga- 
tion and vehicle control decreased 2.5 percent 
in 2000, moving it from seventh to ninth 
place. Specific targeted technologies included 
global positioning system (GPS) and gyro- 
scopes. 


Space Systems Space and space technologies 
are vital for the military, defense, and eco- 
nomic security of the United States. Space 
technologies include platform electronics and 
computers, optronics, power and thermal man- 
agement, propulsion systems for space sys- 
tems, and sensors for space systems. 
Technologies targeted in 2000 included soft- 
ware associated with satellite operations, 
satellite brackets, and sensors and electronic 
modules. 


One suspicious incident involved a foreign 
engineer from an embargoed "Research 
Organization for Science and Technology's 
Mechanical Engineering Department" request- 
ing hardware equipment for small satellites. 
He stated that he was building a satellite for 
the purpose of conducting research. However, 
satellites are usually operational before they 
can conduct research. 


Materials Many classes of materials inher- 
ently have both military and commercial 
application. Critical materials provide specif- 
ic military advantages and cover the physical 
properties, mechanical properties, behavior, 
and processing required to achieve that advan- 
tage. Technologies targeted in 2000 included 
abrasive media, casting processes, high mod- 
ule carbon fibers, and ceramic technologies. 


Nuclear Power Systems critical components 
include technologies for processing man-made 
fissile materials, for processing and handling 
highly radioactive and corrosive materials, for 
producing plutonium and tritium reactors, and 
for producing and assembling nuclear 
weapons components. Targets in 2000 includ- 
ed ion-implanted/surface barrier, fabrication 
and manufacturing techniques. 


Ground Systems address technologies, 
excluding weapons systems, associated with 
combat vehicles that enable these systems to 
be superior to opposing systems in combat. 
Despite the high percentage of dual-use tech- 


Foreign Collection Methods of Operation 


Statistical accuracy on foreign collection 
methods of operation (MO) has improved in 
2000 due to more detailed reporting from 
cleared defense industry. 


Table 9 


nologies applied to military air, ground and 
sea vehicles, unique physical and operational 
capabilities are often required. Targets in 2000 
included robotic vehicles, tank systems fuel 
components and armored vehicle track 
designs. 


Information Warfare is defined as actions 
taken to achieve information superiority by 
affecting adversary's information, information 
based processes, and computer based net- 
works while defending one's own information. 
Technologies targeted in 2000 include pin 
diode switches (used in communication jam- 
mers), and command and control warfare 
technology. 
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Suspicious Foreign Requests for 
Information (RFI). Incidents involving RFI 
continue to be the most frequently reported 
MO; accounting for 41 percent of the total 
activity recorded in 2000. This represents a 4 
percent decrease from 1999, Included in this 
category is any request not sought, or encour- 
aged by the cleared company, which is 
received from a known or unknown source 
(usually foreign), which concerns classified, 
sensitive, or export controlled information. 
The information targeted in 2000 included 
classified, sensitive but unclassified (which 
frequently is company proprietary products, 
information, software and processes), and 
export-controlled information. Requests orig- 
inated from foreign government organizations, 
government-sponsored or affiliated organiza- 
tions (laboratories and institutes), foreign 
commercial activities, and foreign individuals. 
While the recipient may not directly solicit the 
request, the inquiry may actually have been 
indirectly solicited. An example of an 
unwanted, but indirectly solicited request is an 
incident where a cleared defense contractor's 
product was reviewed in a trade journal and 
the company subsequently received a number 
of suspicious, but "solicited," reader-service 
card inquiries from an embargoed country. 


Between 1998 and 2000, DSS saw an increase 
in the reporting of requests for information 
from countries that do not normally conduct 
business with the U.S. such as embargoed 
countries. These requests accounted for 50% 
of all foreign attempts to collect International 
Traffic in Arms Regulated (ITAR) information 
and technology. A commonality in the vast 
majority of these suspicious contacts, was that 
the request was for informational exchanges 
requiring an export license in accordance with 
the ITAR. RFI received from countries with 
highly restrictive political, social and business 
environments still favor the use of the postal 
system. This does not imply that only embar- 


goed or restricted countries rely on traditional 
written correspondence. In fact, ironically, 
the majority of suspicious letters originated 
from countries with developed electronic con- 
nectivity to the U.S. 


From 1997 to 1999, DSS reported an increase 
in the use of the "thesis or scholarly request" 
strategy. This trend remained constant in 
2000 reporting. The thesis request usually 
targets a specific individual at a cleared facili- 
ty. The "student" will state he/she is working 
on a thesis, likely in a field indirectly related 
to a protected U.S. technology. The student 
then states that he/she located the U.S. 
employee's name while conducting initial 
research, The student will ask for whatever 
assistance the cleared employee can provide, 
including articles. The information requested, 
including copies of technical articles, might 
provide new information confirming existing 
assumptions about U.S. technology and serve 
as a means to identify targets for exploitation. 


One such student from Europe requested 
"integrated logistics support" software tech- 
nology, which just happened to be classified 
information. The cleared facility was working 
on technical and specialty engineering pro- 
grams at the time. Another frequently used 
tactic is the "model builder". The model 
builder asks for specifications, which most 
likely would not affect the design of any 
model such as cockpit or turbine engine 
specifications. 


An increasing trend observed in 1999 and 
again in 2000 concerns suspicious requests 
from foreign universities and research insti- 
tutes. A majority of these entities are state 
funded and are heavily involved in military 
applicable technologies. Representatives of 
the research centers attempt to collect infor- 
mation on foreign technology through the use 
of technology exchanges and discussions with 


experts. These collection operations involve 
identifying and contacting experts in various 
fields of interest and forming greater coopera- 
tion with U.S. defense contractors and mili- 
tary Research, Development, Test, and 
Engineering (RDT&E) facilities. Some e- 
mails of this type were received by cleared 
employees and foreigners’ e-mail addresses 
could in no way be associated with the insti- 
tute or university. One used hotmail and 
maintained anonymity until the cleared 
employee inquired, "Who do you work for 
and what will you use this [technology] for?" 
Often at this point, as in this case, foreigners 
provide enough details for the company to 
know whether to proceed with discussions. 
Cleared companies have expedited this type of 
information to DSS several times which led to 
a number of arrests by other U.S. government 
agencies. 


Since 1998, the Internet continues to be a sig- 
nificant source of foreign collection of U.S. 
DoD technologies. The use of the Internet as 
a collection tool used by foreign entities to 
collect U.S. technology and technical informa- 
tion accounted for 27 % of all suspicious con- 
tact reports made to the DSS by cleared 
defense industry. This percentage reflects the 
growing role of the Internet in conducting 
business. A wealth of once protected techni- 
cal and proprietary information is now easily 
retrievable by individuals from around the 
world. For example, a cleared defense con- 
tractor was surprised when he received an e- 
mailed RFI regarding his company's mapping 
software from an embargoed foreign compa- 
ny. The contractor's e-mail address was listed 
as a point of contact on the small company's 
web site which also highlighted the company's 
technological advances in mapping software. 


There continues to be a sharp increase in the 


use of the Internet by foreign entities as a tool 
to identify potential targets and to facilitate 
the actual collection of information. The 
Internet provides a simple, low-cost, non- 
threatening, risk-free means of worldwide 
access to U.S. defense technology. E-mail 
and WEB-chat exchanges are inconspicuous 
and can bypass many traditional security safe- 
guards, directly reaching the targeted individ- 
ual. Requests over the Internet continue to 
account for almost half of the total Internet 
reporting. Cleared contractors who most 
often report Internet based requests have 
active monitoring solutions in place to protect 
their unclassified web sites. These contractors 
regularly incorporate security with their web 
site design and advertising. 


DSS attempts to determine whether cleared 
defense web-based advertising predicates for- 
eign suspicious requests. When a suspicious 
report is made to DSS, our industrial security 
representatives and special agents ask the 
cleared defense company if they believe their 
web-based advertising caused the foreign con- 
tact or request and why they think the request 
is suspicious. Indicators that make requests 
suspicious are: the cleared defense company 
does not normally conduct business with the 
foreign sender, the request originates from an 
embargoed country, the request is in fact 
unsolicited or unwarranted, it appears the 
requestor is utilizing a third country return 
address, the requestor makes claims he/she is 
representing an official government agency 
but has gone outside of channels to make the 
request, the initial request is directed at an 
employee who does not know the sender and 
is not in the sales or marketing office, the 
sender appears to be fishing for information, 
the requestor represents a third party who is 
not identified, the requestor is located in a 
country with a targeting history directed at 


US. cleared defense industry, or the sender 
appears to be avoiding controls or circumvent- 
ing established procedures, such as avoiding 
export license application. 


In many circumstances, when foreign individ- 
uals attempt to skirt controls, they will mask 
their true intentions and e-mail several similar 
requests for information. These requests are 
usually innocuous and not threatening. The 
reason for this is foreigners are trying to mask 
their collection activity. Their goal is to 
establish credibility in order to obtain more 


sensitive and sometime classified information. 
For example, over a period of ten days a U.S. 
cleared defense company received three for- 
eign e-mailed requests asking the company to 
provide its software development product to 
the foreign sender. The foreign sender was 
the same in each case but the sender used 
multiple e-mail addresses. 


Foreign scientists and engineers have initiated 
contact with U.S. companies/employees from 
each type of establishment listed below. 


Table 10 
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Solicitation and Marketing of Foreign 
Services moved into second place on our list 
of most frequently used foreign collection 
methods. Solicitation and marketing of serv- 
ices was the third most frequently reported in 
1999, moving up from fourth place in 1998. 
Consistent with past reporting; individuals, 
companies and research facilities offer their 
technical and business services to U.S. 
research facilities, academic institutions and 
the cleared defense industry in 2000. These 
foreign entities also ask to represent the 
cleared company's product line in their coun- 
try or regional area. As in 1999, many of 
these solicitations concerned provision of 
foreign software services. 


One very popular approach to cleared defense 
industry is the "foreign scientist" seeking 
employment. Companies receiving such 
solicitations for jobs include facilities working 
on: nuclear engineering, electro-optics, ballis- 
tics, astrophysics, and materials. Other 
approaches include software support, intern- 
ships, invitation to ambassadorial programs 
and offers to act as sales or purchasing agent. 
Of growing concern is the use of foreign 
research facilities and software development 
companies located outside the U.S. working 
on commercial projects related to protected 
programs. Anytime a U.S. cleared facility 
relinquishes direct control of its processes or 
product to someone else, they are exposing 
technology to possible exploitation. 


_ In July 2000, a U.S. cleared defense contractor decided to purchase a phone system and 
solicited bids including foreign bids.. Due to prior training and liaison conducted between ; 
the company's FSO and DSS’ Industrial Security Representative, the U.S. company. : 

_ requested threat information concerning foreign bidders. Working with his DSS Field CI. 

. Specialist both realized immediately the threat to the U.S. entity. The U.S. entity, among 


other things, works on a contract for the. Marine Corps related to its theater level ballistic 

--missiles. Based on the information provided by the U.S. entity, the leading foreign bid. . 

~ came from a foreign entity which accounted for at least four suspicious contact reports . 
submitted by cleared defense industry to DSS-CI. In each report the same technology was 
targeted at U.S: cleared defense facilities -- information systems. ‘Also, the leading foreign 
bidder was the subject of many reports within the intelligence community.. Both DSS 
employees, relying on historical knowledge of the U.S. entity and the foreign threat to U.S. 
cleared facility, provided a threat appropriate response to the U.S. entity. The response . 
included a threat assessment produced by a U.S. military production center and directly - 

| addressed the threat inherent in the foreign bid to provide vendor services to the U. S. .com- 
pany. The document allowed the U.S. company to mitigate risks they did not want to incur 
- while trying to protect classified and Marine Corps information by assessing risks posed 
by the leading foreign bid, or any foreign vendor. The U.S. company selected a U.S. con- 
tract at.a higher cost. Ultimately, DSS saved a company's proprietary information and 
quale possibly Marine Corps technology from joreign exploitation. 
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Acquisition of Sensitive Defense Technology 
or Cleared Company Acquisition was the 
third most often used MO reported in 2000, 
up from fourth position in 1999. This is only 
the latest manifestation of an increasing trend 
to acquire sensitive technologies through pur- 
chase. Acquisition attempts accounted for 

88 % of reported suspicious incidents believed 
to involve a third party. Third party involve- 
ment indicates possible technology transfer or 
diversion. Third parties are not the actual 
entity acquiring the technology but are the end 
user or ultimate recipient. Reports involving 
third parties include either a country with a 
history of third party sales or a country used 
by other, often embargoed, foreign countries 
as a venue for purchase and collection. 
Statistics show no clear distinction between 
U.S. defense technology requested for pur- 
chase by developed and developing countries. 


Developing countries continue to consider, 
and seek purchase of, older U.S. military tech- 
nologies for varied reasons: older technology 
may not require a license, older equipment 
may be best incorporated into existing logis- 
tics and maintenance systems, old technology 
best suits critical shortages for a country at 
war, or a country cannot incorporate and 
maintain new technology because its industri- 
al base is inferior to U.S. level of technology 
sophistication. The purchase of U.S. products 
in small quantities may indicate reverse-engi- 
neering efforts that may help countries deter- 
mine whether their industrial/manufacturing 
systems can produce domestic models/copies. 


In 2000, sanctioned nations involved in border 
and landhold conflicts increased their attempts 
to acquire sensitive defense technologies, pri- 
marily sensors. Several resultant law enforce- 
ment actions were attributed to DSS reporting 
of these incidents. 


The majority of foreign purchase attempts in 
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2000 concerned TEMPEST equipment and 
encryption devices including the KIV-7HS, 
which are export controlled. Other requests 
include a wide range of technologies and sys- 
tems such as: HF ocean surface radar, strip 
detectors for x-ray radiation, long range laser 
finders, microwave control systems and accel- 
eration sensors. Some technologies may be 
sought with the stated intent for civilian use 
such as infrared (IR) lenses, but may have 
applications in larger ITAR controlled systems 
including focal plane array technologies, 
which are used in sensors and laser guided 
munitions. Some defense articles require 
more than a general export license for sale to 
a foreign country. The uses of freight for- 
warders and "cooperative U.S. based compa- 
nies" have been suggested by foreigners and 
may be employed because they give a foreign 
entity a U.S. address. The U.S. company is 
compromised because the final destination is 
not the U.S. but a location outside the U.S. 


Exploitation of Visits to U.S. Companies 
Reports concerning suspected exploitation of 
foreign visits at U.S. facilities was fourth in 
frequency of reporting. The term "foreign 
visitor" includes one time visits, long term 
visitors (such as exchange employees, official 
government representatives and students) 
and/or frequent visitors (such as foreign sales 
representatives). Suspicious conduct includes 
actions before, during and after a visit. The 
one factor which made many foreign visits 
suspicious was the extent to which the foreign 
visitor requested access to facilities or tried to 
discuss information outside the scope of 
approved activities or established procedures. 


In several incidents in 2000, foreign visitors 
ignored Technology Control Plans (TCPs). A 
TCP stipulates how a company will protect its 
technology. The plan establishes procedures 
to protect classified, proprietary, and export- 
controlled information, to control foreign visi- 


tor access, and to control access by non-U.S. 
employees. In one example, a group of senior 
foreign executives arrived at a scheduled 
briefing in a cleared facility and made a for- 
mal request for the meeting to be held at 
another facility nearby. The nearby facility 
was the facility containing the classified proj- 
ect. Suspicious indicators associated with 
foreign exploitation of visits to U.S. facilities 
traditionally include: 

« Behaving inappropriately during a visit: 
Wandering around the facility unescort- 
ed, bringing unauthorized cameras 
and/or recording devices into the cleared 
facility, or pressing for additional access 
or information and becoming irate upon 
denial. In one case, a foreign visitor 
excused himself from a conference stat- 
ing he needed to get his briefcase in the 
sponsor's office. Later he was found in 
the sponsor's office speaking on a tele- 
phone in a foreign language. He quickly 
ended the conversation when 
approached. 


Adding last minute and/or unannounced 
persons as part of the group. 


Making numerous requests for visits, 
despite repeated denials. 


Brokering a visit. A brokered visit is 
when a third party, who is not involved 
in the actual business transactions, acts 
on behalf of the prospective visitor to 
arrange for an invitation to be extended 
to the foreigner. Brokered visits become 
suspicious when the third party bypasses 
established foreign visit request proce- 
dures by going directly to a company 
employee to solicit an invitation for the 
visit. Brokers often cloak their clients’ 
employer until queried by the U.S. com- 
pany. 


* Arriving unannounced and seeking 
access by asking to see an employee who 
may belong to the same business organi- 
zation or who had attended the same 
business gathering as the foreign 
national. 


¢ Hiding true agenda such as trying to 
shift the conversation to topics not 
agreed upon. 


* Misrepresenting a visitor's importance or 
technical competence to secure visit 
approval. 


Targeting at Conventions moved up to fifth 
place in frequency of use by foreign entities. 
Conventions continue to provide a "target 
rich" environment for foreign intelligence col- 
lection as they directly link U.S. programs and 
technologies with knowledgeable personnel. 
International exhibits provide a unique oppor- 
tunity for foreign entities to study, compare, 
and photograph actual products in one loca- 
tion. Some technologies targeted at conven- 
tions include laser optics, obscuration smoke 
systems, submarine and ASW specifications, 
PAC 3 safety systems, and air defense tech- 
nologies. 


International seminar audiences are often 
comprised of leading national scientists and 
technical experts, who pose more of an 
exploitation threat than intelligence officers 
because the scientist's/engineer's level of 
technical understanding and ability can readily 
exploit U.S. technology and information for 
their nation's advancement. Foreign technical 
experts focus questions and request specific 
technical data that directly applies to their 
work. Reports show that during seminars, 
foreign entities attempt subtle approaches 
such as sitting next to a potential target and 
initiating casual conversation. This can estab- 
lish a point of contact that may later be sub- 


jected to exploitation. Membership lists of 
international business and/or technical soci- 
eties are increasingly used to identify potential 
USS. targets for introduction. Because the 
threat is designed to exploit the cleared 
defense employee, the approach will most 
likely be very subtle and unrecognizable. 
Most likely, the targeting will be directed at 
U.S. persons with cultural commonalties such 
as origin of birth, religion or language. 


Internet Activity (hacking) 


Targeting associated with exploitation of the 
Internet (hacking) fell back to 6th place. 
(NOTE: This category is not related to the 
Internet-based requests. Because DSS does 
not analyze or forensically investigate these 
incidents, our statistics may be limited to ini- 
tiative reporting by companies not referring 
these matters to the FBI. When received, DSS 
forwards these reports, sometimes with ana- 
lytical assessments or conclusions, to the 
FBI's National Infrastructure Protection 
Center.) 


The majority of foreign Internet activity was 
probing efforts. The computer probes are 
most likely searching for potential weaknesses 
in systems for exploitation. In one example, a 
network attack originated from Europe. The 
attack lasted over a period of a day. Several 
hundred attempts were made to use multiple 
passwords to illegally obtain access to a 
cleared facility's network. All attempts were 
logged by the firewall monitoring software 
and no malicious activity was encountered. 
The facility had the appropriate level of pro- 
tection in place to repel such an attack. By 
detecting probes, the cleared companies 
demonstrated they have the SCM in place to 
thwart attempts to penetrate their computer 
systems. Although probing a system is legal, 
once a port is breached a crime is committed. 
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Exploitation of Joint Venture/Research 
dropped into a tie for 6th place in frequency 
of reporting. This MO offers significant col- 
lection opportunities for foreign interests, as 
well as venues for expanding their industrial 
base or production capability without having 
to pay for the research and development. 
Joint venture reporting may have dropped off 
due to reporting inconsistencies. For exam- 
ple, some facilities may have reported a for- 
eign visit instead of the joint venture, which 
may have predicated the foreign visit. DSS 
tries to differentiate between joint ventures, 
which are also known as international pro- 
grams and cooperative agreements, from non- 
associated visits. Cleared companies can help 
DSS recognize this difference by informing 
representatives during security discussions. 
As with frequent foreign visits and other inter- 
national programs, joint ventures place for- 
eign personnel in close proximity to U.S. per- 
sonnel and technology and can facilitate 
access to protected programs. Also of con- 
cern is the placement of foreign workers in 
close proximity to protected operations. Once 
a foreign employee is in place for a long time, 
that foreign employee tends to assimilate into 
the standard workplace image, be more 
accepted and, therefore, security considera- 
tions become a lower priority. 


Indicators of suspicious activity in a joint 
research/venture include: the foreign worker 
seeking access to areas and information out- 
side the purview of the work agreement, 
enticing U.S. contractors to provide large 
quantities of technical data as part of the bid- 
ding process, and the foreign organization 
sending more foreign representatives than rea- 
sonably necessary for the project. Some tar- 
geting of joint ventures included advanced 
casting techniques, firewall and intrusion 
detection technology, laser head design (a 
patented melt-down manufacturing process), 
and simulator technology. 


Foreign Targeting of U.S. Travelers 
Overseas DSS saw increased reporting of 
foreign collection activities directed against 
US. cleared employees on official or business 


travel. Increased reporting prompted DSS to 
categorize this foreign collection activity as a 
distinct foreign method for collecting U.S. 
technology from U.S. cleared defense employ- 
ees. Suspicious incidents usually occurred 
during foreign travel on trains, at airports and 
in hotels. This category does not include inci- 
dents that occur at conventions, seminars, or 
exhibitions. This MO is in a three-way tie at 
sixth place for frequency of use by foreign 
entities. Events held on the collector's home 


territory leave U.S. business travelers vulnera- 
ble to exploitation by traditional Foreign 
Intelligence Services (FIS) technical means 
(for example, electronic surveillance) and the 
employment of entrapment ploys (such as 
inducement of the target into a compromising 
situation). Cleared defense contractors should 
review the type and amount of information 
contained in the registration, biographic and 
other materials requested by the host. A num- 
ber of official events cause U.S. business 
travelers to be recognized by FIS including 
international conventions, combined military 
operations and joint ventures. 


In one case, cleared contractor representatives staying at the same hotel reported several 

attempts to gain access to their rooms. In another incident,.a defense contractor reported a . 
family member went back to his hotel room after dinner to find-an opened notebook com- 

puterin the middle of the bed. . The computer had been stored with the luggage before din- - 


“ner. Repeat U.S. visitors have been assigned to the same room over a long period. Other 
travelers received excessively "helpful" service by host government representatives and 

hotel staffs. The majority of suspicious activity during overseas travel is reported i in rela- 
tionship to a hotel stay. : 


In other cases, short-term custodial detentions 
by host government officials occurred at air- 
ports and waterways during which foreign 
officials attempted to gain information regard- 


ing the U.S. traveler's visit. The majority of 
airport detentions occurred at only one foreign 
airport. 


Foreign Collection Methods by Technology 


Technology/MO Correlation. As mentioned — The charts below display the prevalent MOs 
in the introduction, MOs used must be viewed employed against the most sought after tech- 


in the context of the overall atmosphere of the _ nologies. 
collection operation. No one rule is applica- 
ble to all foreign collection attempts. 


Figure 3 
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Assessment of Future Trends 


DSS forecasts that countries assessed as mod- 
erately and most active in 2000, will continue 
collection operations at similar levels against 
cleared U.S. defense industry in 2001. 


DSS assesses that if cleared employees and 
cleared defense contractors do not respond to 
requests, foreign collection activities will 
employ additional MOs to include foreign vis- 
its and may also target other companies. 


Based on 2000 reporting, DSS believes that 
targeting of cleared defense industry from for- 
eign institutes, businesses and individuals 
(versus recognizable foreign government enti- 
ties) will continue. Recognizable foreign gov- 
ernment contact will decrease. DSS assesses 
that Foreign Intelligence and Security 
Services (FISS) will direct some of these col- 
lection activities. Whether FISS directed, or 
motivated by modernization, the majority of 
targeting efforts will emanate/originate from 
non-governmental entities. 


DSS has assessed that certain U.S.-based and 
foreign entities to represent foreign illicit 
trade as front companies. Some of these 
assessments were confirmed by law enforce- 
ment and non-proliferation activities. The 
majority of the confirmations involved tech- 
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nology diversion attempts to a third entity in 
embargoed nations. Some of these entities 
were foreign government/defense activities. 
DSS assesses an increase in law enforcement 
and non-proliferation activities associated 
with DSS reporting in 2001. 


DSS has identified two trends associated with 
foreign-owned cleared defense facilities. In 
several instances, after attaining favorable 
special security ratings (IAW mitigating secu- 
rity plan), foreign owner will attempt to 
exploit its position and place foreign workers 
in restricted space, disregard foreign visitor 
sign-in logs at the U.S. facility, and request 
hurried mailings that require export license. 
Several times foreign-owned U.S. facilities 
were contacted by foreign subsidiaries of the 
foreign owner. Two cases involved foreign 
requests for export-controlled information that 
may have led to product requests if cleared 
facility responded and did not report the sus- 
picious contact. DSS assesses that this 
exploitation by foreign owners will continue. 


DSS assesses that the global business environ- 
ment will continue to provide some degree of 
cover for foreign government-sponsored tar- 
geting of specific technologies and that these 
activities at foreign-owned U.S. facilities will 
increase in 2001. 


Appendix 


Suspicious Indicators and Security Countermeasures for Foreign Collection Activities 
Directed Against the U.S. Defense Industry 


FOREIGN REQUESTS FOR INFORMATION 


Foreign requests for U.S. defense industry science and technology (S&T) program information 
are the most frequently reported method of operation (MO) associated with foreign targeting 
activity. Requests frequently involve faxing, mailing, e-mailing, or telephoning to individual 
U.S. persons rather than corporate marketing departments. The requests may involve surveys or 
questionnaires and are frequently sent over the Internet. 


Indicators 


The requester: 

¢ has an e-mail address in a foreign country. 

* may be associated with an embargoed country. 

« identifies his status as a student or consultant. 

* identifies himself as a "student" seeking empathy because his nation lacks this scientific or 
technical information. 

* identifies his employer as a foreign government or the work is being done for a foreign 
government or program. 

* asks about a technology related to a defense-related program, project, or contract. 

* asks questions about defense-related programs using acronyms specific to the program. 

* insinuates that the identity of the third party he works for is "classified". 

* admits he could not get the information elsewhere because it was classified or controlled. 

* advises the recipient to disregard the request if it causes a security problem or if it is for 
information the recipient cannot provide due to security classification, export controls, and 
so forth. 

* assures the recipient that export licenses are not required or are not a problem. 

* Recipient has never met or does not normally conduct business with the sender. 

* Technology requested is classified, International Traffic in Arms Regulation (ITAR)-controlled, 
is on the Militarily Critical Technologies List, or has both commercial and military applica- 
tions. 

* Requests may be faxed or mailed to an individual vice the company marketing office. 

« Requests may exceed generally accepted terms of information. 

* Strong suspicions that a competing foreign company employs the "surveyor". 
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Recommended Security Countermeasures 


* Have a technology control plan. 

* Have a written company policy on how to respond to requests. 

¢ Brief employees not to respond to suspicious requests. 

* Brief employees to report suspicious incidents to the Facility Security Officer. 

* Review how much information you have in the open domain. 

* Ask foreigner why he wants the information, who he represents, and for what the U.S. infor- 
mation or products will be used. 


WEB-BASED REQUESTS FOR INFORMATION 


Web-based requests continue to be a significant source of foreign targeting of U.S. DoD tech- 
nologies. A wealth of once protected information is now retrievable by individuals from around 
the world. There appears to be a sharp increase in the use of web-based requests by foreign 
entities as a means to identify potential targets and to facilitate the actual collection of informa- 
tion. Web-based requests provide a simple, low cost, non-threatening, risk-free means of world- 
wide attempts to acquire U.S. DoD technology. Web-based requests are inconspicuous and can 
bypass many traditional security safeguards, thus directly reaching the target. 


Indicators 


* The cleared defense company does not normally conduct business with the foreign requestor. 

¢ The request originates from an embargoed country. 

* The request is, in fact, unsolicited or unwarranted. 

* Requestor claims to represent an official government agency but avoids proper channels to 
make the request. 

* The initial request is directed at an employee who does not know the sender and is not in the 
sales or marketing office. 

* The requestor is fishing for information. 

* Requestor represents unidentified third party. 

* The requestor is located in a country with a targeting history directed at U.S. cleared defense 
industry. 

* The requestor appears to be "skirting controls". 

* Several similar requests are made over time. 


Recommended Security Countermeasures 


* Have a technology control plan. 

* Incorporate security into web design and advertising. 

* Initiate an active monitoring solution of web site. 

* Report request to FSO and report to DSS CI for databasing purpose (in several situations, 
similar requests were received by different U.S. cleared facilities.) 
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SOLICITATION AND MARKETING OF SERVICES 


Consistent with past reporting, individuals, companies and research facilities offer their technical 
and business services to U.S. research facilities, academic institutions and the cleared defense 
industry. 


Indicators 

* Foreign "scientist" secks employment associated with sensitive defense technologies. 

* Offer to provide offshore software support. 

* Foreign government- and business-sponsored internships. 

* Invitation to cultural exchange, individual-to-individual exchange or ambassador program. 
* Offer to act as sales or purchasing agent in foreign country. 


Recommended Security Countermeasures 


* Have a technology control plan. 

* Report names of foreign scientists and engineers whose solicitation concerns classified or 
controlled research and technology. 

* Obtain recommendations and assess risks posed by software support in a foreign land. 

* Receive State Department travel briefings before departing on an exchange or ambassador 
program. 


FOREIGN ACQUISITION OF U.S. TECHNOLOGY/COMPANY 


Foreign entities try to access sensitive technologies by purchasing U.S. technology or a U.S. 
company possessing the sensitive technology/product. 


Indicators 


* Companies of political and military allies are most likely associated with this activity. 

* Foreign competitors seek a position in the U.S. company that affords access to technology. 

* New employees hired from the foreign parent company or its foreign partners ask to access 
classified data. 

* Foreign parent company attempts to circumvent the security agreement or, even earlier, avoids 
or otherwise disrupts or hinders the Foreign Ownership, Control or Influence (FOCI) process. 

* Foreign parent employees try to make exceptions to the term of the security agreement. 

Statement that license is not necessary. 

* Foreign company ask U.S. company to send information or product to another U.S.-based 
company for transfer overseas; or via FedEx, or UPS to overseas address. 


Recommended Security Countermeasures 


* Have a technology control plan. 
« Request a threat assessment from the program office. 
* Scrutinize employees hired at the behest of foreign entity. 
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* Conduct frequent checks of foreign visits to determine if foreign interests are attempting to cir- 
cumvent security agreements. 

* Provide periodic threat briefings to outside directors and user agencies. 

* Ask what U.S. based company does. Ask why company cooperates with a foreign entity. Ask 
why foreigner wants product express-mailed. Ask export officer if information/product is 
export-controlled. 


FOREIGN VISITS AT U.S. FACILITIES 


Foreign visits to cleared U.S. defense contractors can present potential security risks if sound 
risk management is not practiced. 


Indicators 


¢ A Foreign Liaison Officer or embassy official escorting a visitor attempts to conceal official 
identities during a supposedly commercial visit. 

* Hidden agendas as opposed to the stated purpose of the visit. 

« Last minute and unannounced persons added to the visiting party. 

« "Wandering" visitor who acts offended when confronted. 

* Using alternative methods. For example, if a classified visit request is disapproved, the foreign 
entity may attempt a commercial visit. 

* Visitors ask questions during briefing outside the scope of the approved visit hoping to get a 
courteous or spontaneous response. 

* Visitor claims business interest but lacks experience researching and developing this 
technology. 


Recommended Security Countermeasures 


¢ Have a technology control plan. 

* Brief foreign collection threat to all employees involved with the foreign visit. Request for- 
eign intelligence service threat assessments. 

¢ Ensure appropriate personnel, both escorts and those meeting with visitors, are briefed on the 
scope of the visit. 

* The number of escorts per visitor group should be adequate to properly control movement and 
conduct of visitors. 


EXHIBITS, CONVENTIONS AND SEMINARS 


These functions directly link programs and technologies with knowledgeable personnel. 
Conventions may provide foreign entities with targeting information to be used later. 


Indicators 


* Topics at seminars and conventions deal with classified or controlled technologies and/or 
applications. 
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* Country or organization sponsoring seminar or conference has tried unsuccessfully to visit the 
facility. 

* Receive invitation to brief or lecture in a foreign country with all expenses paid. 

Requests for presentation summary 6-12 months before seminar. 

¢ Photography and filming appear suspicious. 

* Attendees wear false nametags. 

* Casual conversation and discussions during and after these events. 


Recommended Security Countermeasures 


* Have a technology control plan. 

* Be aware of follow-up requests after a show. 

* Consider what information is being exposed, where, when, and to whom. 

* Provide employees with detailed travel briefings concerning the threat, precautions to take, and 
how to react to elicitation. 

¢ Take mock-up displays instead of real equipment. 

* Request a threat assessment from program office. 

¢ Restrict information provided to that necessary for travel and hotel accommodations. 

* Carefully consider whether equipment or software can be adequately protected. 


EXPLOITATION OF INTERNET 


Internet exploitation consists of hacking, probes, scanning, and pinging. This category is not 
related to the Internet based requests for information. The majority of cases involve probing 
efforts. Although probing a system is legal, once a port is breached a crime is committed. 


Indicators 


* Computer probes are most likely searching for potential weaknesses in systems for exploitation 
* Network attacks originated from foreign Internet service providers. 

¢ Attacks last over a period of a day. 

* Several hundred attempts are made to use multiple passwords. 


Recommended Security Countermeasures 

* Have a technology control plan. 

* Have firewall monitoring software that logs all intrusion attempts and any malicious activity. 
* Have the appropriate level of protection in place to repel such an attack. 

« When a probe is noted, heighten security alert status. 

JOINT VENTURE/ RESEARCH 


Co-production and various exchange agreements potentially offer significant opportunities for 
foreign interests to target restricted technology. 
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Indicators 


* Resident foreign representative: 
* faxes documents to an embassy or another country in a foreign language. 
* wants to access the local area network (LAN). 
* wants unrestricted access to the facility. 
* singles out company personnel to elicit information outside the scope of the project. 
¢ Enticing U.S. contractors to provide large amounts of technical data as part of the bidding 
process, only to have the contract canceled. 
* Potential technology sharing agreements during the joint venture are one-sided. 
* Foreign organization sends more foreign representatives than is necessary for the project. 


Recommended Security Countermeasures 


* Have a technology control plan. 

* Review all documents being faxed or mailed and have someone translate. 

¢ Provide foreign representatives with stand alone computers. 

* Share the minimum amount of information appropriate to the scope of the joint 
venture/research. 

¢ Extensively educate employees on the scope of the project and how to deal with and report 
elicitation. Periodic sustainment training must follow initial education. 

* Refuse to accept unnecessary foreign representatives into the facility. 


TARGETING OF U.S. CONTRACTORS ABROAD 


Suspicious activity occurs on collector's home territory leaving U.S. travelers vulnerable to 
exploitation, including that by Foreign Intelligence Services (FIS). Frequently, FIS recognize 
U.S. travelers who are engaged in international conventions, support to combined military oper- 
ations, and joint ventures. 


Indicators 


* Technical means (for example, electronic surveillance). 

¢ Entrapment schemes such as honeytrap, black market and extortion. 
* Repeat stays in the same room of the same hotel. 

* Several attempts are made to access room by service personnel. 

« Excessively helpful assistance. 

* Undue questioning by port authorities. 


Recommended Security Countermeasures 
* Have a technology control plan 


* Cleared defense contractors should review the type and amount of information he/she provides 
and withhold non-essential biographic and other data requested by the host. 
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WORK OFFERS 


Foreign scientists, students, and engineers will offer their services to research facilities, 
academic institutions, and even cleared defense contractors. This may be a MO to place a for- 
eign national inside the facility to collect information concerning a desired technology. 


Indicators 


* Foreign applicant has a scientific or engineering background in a technical area for which 
his/her country has been identified as having a collection requirement. 

* Foreign applicant offers services for "free," stating that a foreign government agency, military 
activity, university, or corporation is paying expenses. 

* Foreign intern (students working on masters or doctorate) offers to work without pay under a 
knowledgeable individual, usually for a period of 2-3 years. 

* The technology in which the foreign individual wants to work or conduct research is frequently 
related to, or may be classified, ITAR , MCTL or export-controlled. 


Recommended Security Countermeasures 


* Have a technology control plan. 

* Provide employees periodic security awareness briefings about long-term foreign visitors. 

* Check backgrounds and references of foreign job, research and intern applicants. 

* Request a threat assessment from the program office whose goals are associated with the 
foreign interest. 


CO-OPTING FORMER EMPLOYEES 


Former employees who had access to sensitive, proprietary, or classified S&T program informa- 
tion remain a potential counterintelligence concern. Targeting cultural commonalties to establish 
rapport is often associated with this collection attempt. Former employees may be viewed as 
excellent prospects for collection operations and considered less likely to feel obliged to comply 
with U.S. Government or corporate security requirements. 


Indicators 

* Former employee takes a job with a foreign company working on the same technology. 

¢ Former employee maintains contact with former company and employees. 

« An employee alternates working with U.S. companies and foreign companies every few years. 
Recommended Security Countermeasures 

« Have a technology control plan 


* Brief employees to be alert to actions of former employees returning to the facility. 
* Have a policy concerning visitation or contacts with current employees by former employees. 
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* Debrief former employees upon termination of employment and reinforce their legal 
responsibilities to protect classified, proprietary, and export-controlled information. 


TARGETING CULTURAL COMMONALITIES 


Foreign entities exploit the cultural background of company personnel, visitors and visited, to 
elicit information. 


Indicators 


¢ Employees receive unsolicited greetings or other correspondence from embassy, company, 
or country of family’s origin. 

* Employees receive invitations to visit country of family’s origin for purpose of providing 
lecture or receiving an award. 

+ Foreign visitors single out company personnel of same cultural background with whom to 
work or socialize. 


Recommended Security Countermeasures 
* Have a technology control plan. 
* Brief all employees on this MO and address it in the company reporting policy. 


* Monitor foreign visitor activities for indications of their targeting of company personnel. 
* Report suspected targeting as early as possible to minimize potential problems. 


33 


